3 Replies Latest reply on Dec 1, 2013 4:31 AM by Carl Wilson

    Web Services in Remedy with Client Side SSL Certificates

    Scott Skeate

      Anyone have experience setting up Web Services with SSL using both Server and Client side certificates? Probably more accurately, it is setting up Java and AR configurations to use both certificates as WS uses Java to make the connections.

       

      We are running on Linux 5.5 (ITSM 7.6.04 SP1).  The target web service is on a Windows based .NET environment with an ITSM 7.5.06 back end.  They gave us a client side certificate (pfx) file.  We have installed it according to directions provided by support (and elsewhere in these communities) and added lines to ar.conf indicating where it is (restarting AR as well).  We can connect to the target web server without error but not to the target application folder.  We get a 403.7 error (Forbidden) using other utilities at the Java level when trying to get to the target application folder.  It appears that Java is not passing the client side certificate when it is asked for by the target server.  Our .NET programmers had to classify the cert as an X509Certificate2 type to make the connection from a .NET environment on our side, but they were able to finally connect.  This classification makes available additional classes within the certificate.

       

      If anyone has experience on getting this set up, I’d appreciate hearing from you.  I suspect we need to develop and configure some new Java Class to handle this.

        • 1. Web Services in Remedy with Client Side SSL Certificates
          Scott Skeate

          The originally supplied document titled "How to Configure the AR System web services plug-in to work with SSL and/or Client Certificates" is dated and for the most part is accurate.  However, for recent versions of AR System (in my case 7.6.04 SP1), the plug-in server is java based and is started out of armonitor.conf.

           

          The lines in the document for configuring AR Server to use the client certificate java keystore parameters are no longer correct.

           

          1. Add the following lines to the ARServer’s ar.conf or ar.cfg file:
            ARF-Java-VM-Options: -Djavax.net.ssl.keyStore=/home/arsystem/my_key.pfx
            ARF-Java-VM-Options: -Djavax.net.ssl.keyStorePassword=mypass
            ARF-Java-VM-Options: -Djavax.net.ssl.keyStoreType=pkcs12
            NOTE: You will need to adjust the path and filename of the keyStore and the password of the keyStorePassword to match your environment.

           

          You do not need the lines above in ar.conf.

           

          Instead, the line in armonitor.conf that starts the java plugin server needs to have these entries added as in:

           

          Old Line:

           

          /opt/java/jre_i586/bin/java -Xmx512m -classpath /opt/bmc/ARSystem/pluginsvr:/opt/bmc/ARSystem/pluginsvr/arpluginsvr7604_build002.jar com.bmc.arsys.pluginsvr.ARPluginServerMain -x <ServerName> -i /opt/bmc/ARSystem

           

          New Line:

           

          /opt/java/jre_i586/bin/java -Djavax.net.ssl.keyStore=/home/arsystem/my_key.pfx -Djavax.net.ssl.keyStorePassword=mypass -Djavax.net.ssl.keyStoreType=pkcs12 -Xmx512m -classpath /opt/bmc/ARSystem/pluginsvr:/opt/bmc/ARSystem/pluginsvr/arpluginsvr7604_build002.jar com.bmc.arsys.pluginsvr.ARPluginServerMain -x <ServerName> -i /opt/bmc/ARSystem

           

           

          Additionally, for Developer Studio to use a client certificate in the Java keystore locally, save the .pfx file on your local machine and add the following lines to devstudio.ini:

           

          -Djavax.net.ssl.keyStore=c:\MyKeys\my_key.pfx
          -Djavax.net.ssl.keyStorePassword=mypass
          -Djavax.net.ssl.keyStoreType=pkcs12


          • 2. Re: Web Services in Remedy with Client Side SSL Certificates

            Is there any way to get Developer Studio to use the cert from the local machine cert store instead of storing the cert password in clear text in the ini file?

            • 3. Re: Web Services in Remedy with Client Side SSL Certificates
              Carl Wilson

              Hi Dana,

              the options in the .ini file are where you define how the Developer Studio accesses the Keystore where the certificates are stored, not the actual certificate.  The password you see is for Developer Studio to access the local Keystore you have created containing the certificates.

               

              Cheers

              Carl

               

              http://www.missingpiecessoftware.com/
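
Added example (not part of the thread and not BMC code): a shell audit of the file that carries the `javax.net.ssl.keyStore*` options from reply 1, reporting a missing `keyStoreType`, the clear-text `keyStorePassword` raised in reply 2, and keystore or config files that group/other can access. The function names, the script name and the rule that lines starting with `#` are comments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit a JVM option file (armonitor.conf,
# devstudio.ini) for the javax.net.ssl.keyStore* settings discussed above.

# Print the value of the first -D<property>=<value> in file $1.
# Assumption: lines starting with '#' are comments and are skipped.
jvm_prop() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*#' |
        grep -o -- "-D$2=[^[:space:]]*" | head -n 1 | cut -d= -f2-
}

# Succeed when group or other hold any permission bit on file $1.
loose_mode() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 0|*00) return 1 ;; esac
    return 0
}

# Print one line per finding for file $1; return the number of findings.
audit_keystore_opts() {
    local conf="$1" n=0 store type pass
    store=$(jvm_prop "$conf" javax.net.ssl.keyStore)
    type=$(jvm_prop "$conf" javax.net.ssl.keyStoreType)
    pass=$(jvm_prop "$conf" javax.net.ssl.keyStorePassword)
    if [ -z "$store" ]; then
        echo "$conf: no -Djavax.net.ssl.keyStore option found"; return 1
    fi
    case "$store" in
        *.pfx|*.p12)
            if [ "$(echo "$type" | tr 'A-Z' 'a-z')" != pkcs12 ]; then
                echo "$conf: $store is PKCS#12 but keyStoreType is not pkcs12"; n=$((n+1))
            fi ;;
    esac
    if [ -n "$pass" ]; then
        echo "$conf: keyStorePassword is stored in clear text"; n=$((n+1))
        if loose_mode "$conf"; then
            echo "$conf: group/other can access the file holding the password"; n=$((n+1))
        fi
    fi
    if [ ! -f "$store" ]; then
        echo "$conf: keystore $store not found on this host"; n=$((n+1))
    elif loose_mode "$store"; then
        echo "$store: group/other can access the keystore file"; n=$((n+1))
    fi
    return "$n"
}

# Usage: ./audit_keystore.sh <path to armonitor.conf or devstudio.ini> ...
for f in "$@"; do audit_keystore_opts "$f" || true; done
```

Because the options sit on the `java` command line in armonitor.conf, the password is also visible in the process arguments while the plug-in server runs, so file permissions alone do not hide it from other local users.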